Delta Confirms Breach Of Customer Payment Details

Hackers have had access to Delta customer payment data for over six months after third-party breach

US airline Delta Air Lines and American department store Sears Holding have both confirmed a data breach, after an incident involving a third-party tech provider.

Delta said that it was notified last week by [24]7.ai, a company that provides online chat services for Delta and others (including Sears), of a ‘cyber incident’ that took place between 26 September and 12 October 2017.

Details stolen include “certain customer payment information”, but the airline said that no other customer personal information (passport, government ID, security or SkyMiles information) was affected.

Data breach

“Upon being notified of [24]7.ai’s incident, Delta immediately began working with [24]7.ai to understand any potential impact the incident had on Delta customers, delta.com, or any Delta computer system,” the airline said. “We also engaged federal law enforcement and forensic teams, and have confirmed that the incident was resolved by [24]7.ai last October.”

The airline said it would launch a dedicated website, delta.com/response, on 5 April, where it will provide regular updates to address customer questions and concerns.

[24]7.ai in its own statement did not reveal how the attackers managed to penetrate its systems.

Sears was reportedly informed of the incident earlier than Delta (in mid-March), and the incident involved unauthorised access to the credit card information of under 100,000 of its customers.

Long delay

But the data breach raised questions about the management of third-party products and the security implications this brings, as well as why it took six months to report the breach.

“Delta Airlines have been breached by proxy – a third-party data processing system has been accessed, and Delta customer information has been exposed,” commented Laurie Mercer, solutions engineer at HackerOne.

“This raises many questions about how we can secure data that we enter into 3rd party systems, about how we can manage the security of vendors,” said Mercer. “Today consumers are asking more and more questions about where our data resides, and how our data is being protected. These concerns are reflected in legislation like the General Data Protection Regulation in the EU. This breach highlights the importance of securing the vendor ecosystem as well as our own in-house systems.”

“The important part now is to handle the customer relations with transparency, and also to review the trusts between their own organisation and their service providers,” added Martin Jartelius, CSO at Outpost24. “The breach occurred last year and remained undetected until a week ago. Customers should always be attentive to their card transactions.”

Other experts also picked up on the six-month delay in reporting the breach.

“There are some interesting questions to ask in response to this disclosure,” said Craig Young, computer security researcher at Tripwire. “Why was the breach window so short? Were the attackers discovered and booted back in October? If so, why is it that we are only learning of the breach nearly six months later?”

“If not, how can [24]7.ai be so confident of the scope of the breach?” said Young. “Were payment card providers notified sooner? Time is a critical factor for preventing fraud whenever there is a breach of financial data. Delta has assured customers that they won’t be held responsible for fraudulent charges but it seems likely that if fraudulent charges related to this have not already been identified, there is little hope that they will ever be connected to this breach.”

The fact that hackers have gained access to payment card information was also noted by Lee Munson, security researcher at Comparitech.com.

“Obviously the big negative here is the fact that customers have potentially had their payment card data swiped, though the unknown factor is whether or not that information was encrypted, or how,” said Munson.

“From an incident response point of view, it is a shame to learn that the attack has only now come to light, having occurred and been spotted last year, though we are, of course, unaware of when affected customers were notified,” he said. “On a more positive note, no personal information was stolen and Delta was quick to examine the breach and learn lessons from it.”